CVE-2022-33684: Apache Pulsar C++ Client man-in-the-middle attack

CVE-2022-33684

The Apache Pulsar Project last week announced the release of an update in response to a recently discovered high-severity vulnerability. Security researcher Michael Rowley has been credited with reporting this flaw.

The vulnerability, tracked as CVE-2022-33684, can be exploited to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.

Apache Pulsar is a distributed pub-sub messaging platform with a very flexible messaging model and an intuitive client API. Originally developed by Yahoo, Pulsar is under the stewardship of the Apache Software Foundation.

CVE-2022-33684

The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and intercept and/or modify the GET request that is sent to the ClientCredentialFlow ‘issuer url’. The intercepted credentials can be used to acquire authentication data from the OAuth2.0 server to then authenticate with an Apache Pulsar cluster,” the developers explained in a new advisory. “An attacker can only take advantage of this vulnerability by taking control of a machine ‘between’ the client and the server. The attacker must then actively manipulate traffic to perform the attack.

Affected version

  • Apache Pulsar C++ Client and Python Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0 to 2.10.1; 2.6.4 and earlier.

Unaffected version

  • Apache Pulsar C++ Client and Python Client versions 2.7.5, 2.8.4, 2.9.3, and 2.10.2

Solution

At present, Apache Apache Pulsar has fixed the CVE-2022-33684 vulnerability in the newer version. Users are advised to install please the unaffected version as soon as possible and rotate vulnerable OAuth2.0 credentials, including client_id and client_secret.